Interactive Investigation

Most organizations have more than a dozen security tools and a typical incident investigation process includes analysts looking at these tools for relevant security data. Operating in these tool consoles requires multiple browser tabs, credentials to these tools, and an understanding of their interfaces. This creates challenges for analysts and results in ‘dead time’ through tab switching, copy-pasting documentation, and collecting fragmented information.

Demisto’s interactive investigation features – a ChatOps-based War Room, an ML-powered chatbot, and a robust command-line interface – form a powerful toolkit for analysts to collaborate, run live security commands, and learn from each incident.

Defining Security ChatOps

interactive investigation infographic

The simplest way to define ChatOps for security is as a platform for conversation-driven investigations. When security analysts, security tools, chatbots, and IR workflows exist in the same chat window and reinforce each other in a virtuous cycle: that’s ChatOps in action. All these components feed each other in a virtuous cycle, enabling investigation, collaboration, and documentation at one source.

View Infographic

The Need For Interactive Investigation


Lack of skilled analysts

With a shortage of millions of analysts expected over the coming years, many SOCs are understaffed, leading to increased workload, stress, and rate of error among staffed analysts.


Rising alert numbers

With an increased threat surface, a greater number of entry vectors for attackers, and an increase in specialized cyber security tools, the number of alerts are constantly on the rise. Analysts need help in identifying false positives, duplicate incidents, and keeping the alert numbers in check without burning out


Product proliferation

Analysts use numerous tools – both within and outside the purview of security – to coordinate and action their response to incidents. A recent NASDAQ report stated that the average organization uses up to 15 products! This involves lots of screen switching, fragmented information, and disjointed record keeping


Siloed work environments

An implicit but dangerous problem that mid to large sized SOCs face is security analyst tunnel vision and extreme narrowing of skill-sets. There is rarely, if ever, any cross-pollination of skills across analysts that result in effective joint investigations and reduced resolution times.


The Bus Factor

Since security analysts are at such a premium, a sudden personnel loss can leave SOCs in a state of disarray. Senior analysts take most of their expertise with them when they leave and little knowledge remains stored within the organization.

With all these challenges still present and growing, interactive investigation can be a force multiplier for SOCs, providing analysts with a customizable canvas to conduct joint investigations, coordinate across security products in real-time, and document the results of their actions on the same platform.

Download Whitepaper

Is Your SOC Ready For Interactive Investigation?

There is a right and wrong time to bring in interactive investigation features for your security operations and incident response. If you roll out interactive investigation when the timing, resources, or need fitment aren’t right, you will not only fail to get benefits out of those features, but also potentially close the door for future implementation when the need is more explicit.

Before finalizing pilot projects for interactive investigation, some factors you should evaluate are: the nature of automation at your organization, existing problems with task-tracking, accountability, and documentation, issues with product proliferation, and alert fatigue challenges post-automation

Read Evaluation Criteria

Makings of a True Interactive Investigation Platform

Read Technical Paper